“Tencent QQ, popularly known as QQ, is an instant messaging software
service developed by Chinese company Tencent Holdings Limited. QQ also
offers a variety of services, including online social games, music,
shopping, microblogging, movies, platform of games and group and voice
chat. As of January 2015, there are 829 million active QQ accounts, with
a peak of 176.4 million simultaneous online QQ users.” (Wikipedia)

QQ’s SSO system is susceptible to Covert Redirect Attacks. More
specifically, the validation of the “&redirect_uri” parameter in the SSO
system is insufficient: it is checked at the domain level rather than
against an exact registered URL. It can therefore be misused to build
Open Redirect Attacks against QQ.

At the same time, it can be used to collect sensitive information about
both the third-party app and its users through the following parameters
(the sensitive information, e.g. the access token, is appended to the
redirect target and therefore travels in the Location header of the
redirect response):
“&response_type”=sensitive_info,token…
“&scope”=get_user_info%2Cadd_share…

It also increases the likelihood of successful Open Redirect Attacks
against third-party websites.

When a logged-in QQ user clicks the URL ([1]) above, he/she is asked for
consent, i.e. whether to allow the third-party website to receive his/her
information. If the user clicks OK, he/she is then redirected to the URL
assigned to the “&redirect_uri” parameter.

If a user who is not logged in to QQ clicks the URL ([1]) above, the same
thing happens as soon as he/she has logged in.

After acceptance of the third-party application:

A logged-in QQ user is no longer asked for consent and is redirected
straight to a webpage controlled by the attacker when he/she clicks the
URL ([1]).

For a user who is not logged in, the attack still completes after a
pop-up page that prompts him/her to log in.

(2.1.1) QQ normally allows any URL that belongs to the domain of an
authorized third-party website. However, URLs on that domain can be open
to manipulation. For example, the “&redirect_uri” parameter in the URLs
is supposed to be set by the third-party website, but an attacker can
change its value to point at a URL on the same domain that itself
forwards the browser to an arbitrary destination (an Open Redirect on
the client site).

Hence, a user is first redirected from QQ to the vulnerable URL in that
domain and then, unwillingly, from the vulnerable site to a malicious
site, with whatever sensitive information (e.g. the access token) QQ
appended to the redirect carried along. From the user’s perspective this
is as if QQ had redirected him/her directly. The number of QQ’s SSO
client websites is so large that such attacks could be commonplace.

Before the third-party application is accepted, QQ’s SSO system makes
the redirects appear more trustworthy, which could increase the
likelihood of successful Open Redirect Attacks against the third-party
website.

Once the user has accepted the application, the attacker can skip QQ’s
consent step entirely and attack more easily.

The webpage “https://dailymem.wordpress.com/” was used for the following
tests. For the purpose of the tests it can be assumed to be malicious and
to contain code that collects sensitive information about both the
third-party app and users.
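The chain described in (2.1.1), as an added example written for this page (it is neither QQ’s code nor code from the original advisory): a simulated OAuth 2.0 authorization endpoint with the weak domain-level “&redirect_uri” check beside an exact-match check, an assumed Open Redirect endpoint “/redirect?url=” on the client’s domain, and the browser rule that carries a URL fragment across a redirect whose Location has no fragment of its own. The client hostname “client.example”, the callback path “/oauth/callback” and the token value are assumptions; the destination is the test page named above.

```python
"""
Added example, not part of the original advisory. Offline simulation of the
redirect_uri check on an OAuth 2.0 authorization endpoint and the resulting
Covert Redirect chain. Hostnames, paths and the token value are assumptions.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Assumed registration of one third-party client.
REGISTERED_DOMAIN = "client.example"                      # weak policy: any URL here passes
REGISTERED_REDIRECT_URIS = {"https://client.example/oauth/callback"}  # strict policy

# Page the advisory treats as the malicious destination.
ATTACKER_URL = "https://dailymem.wordpress.com/"


def weak_redirect_uri_check(redirect_uri: str) -> bool:
    """Domain-level policy: any https URL on the registered domain is accepted."""
    u = urlsplit(redirect_uri)
    return u.scheme == "https" and u.hostname == REGISTERED_DOMAIN


def strict_redirect_uri_check(redirect_uri: str) -> bool:
    """Exact-match policy: only a pre-registered URI, compared byte for byte."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def authorize(redirect_uri: str, response_type: str, check) -> Optional[str]:
    """Simulated authorization endpoint, after the user has consented.

    Returns the Location header value of the 302 it would send, or None when
    the redirect_uri is rejected. With response_type=token (implicit grant) the
    access token is appended as a URL fragment, so it sits inside that header.
    """
    if not check(redirect_uri):
        return None
    if response_type == "token":
        # constructed token value; a real provider would issue its own
        return redirect_uri + "#access_token=tok_constructed_123&token_type=bearer"
    return None  # other response types are not modelled here


def client_open_redirect(location: str) -> Optional[str]:
    """Assumed Open Redirect on the client domain: /redirect?url=... forwards
    the browser wherever the url parameter says, without validation."""
    u = urlsplit(location)
    if u.hostname != REGISTERED_DOMAIN or u.path != "/redirect":
        return None
    target = parse_qs(u.query).get("url", [None])[0]
    if target is None:
        return None
    # Browsers keep the fragment of the current URL when they follow a
    # redirect whose Location value carries no fragment of its own.
    t = urlsplit(target)
    if not t.fragment:
        target = urlunsplit(t._replace(fragment=u.fragment))
    return target


def run_chain(check) -> Optional[str]:
    """redirect_uri crafted by the attacker: the registered domain, but pointing
    at its Open Redirect with the attacker's site as the destination.
    Returns the URL the browser finally lands on, or None if QQ-side validation
    stops the chain."""
    crafted = "https://" + REGISTERED_DOMAIN + "/redirect?" + urlencode({"url": ATTACKER_URL})
    location = authorize(crafted, "token", check)
    if location is None:
        return None
    return client_open_redirect(location)


if __name__ == "__main__":
    print("domain-level check :", run_chain(weak_redirect_uri_check))
    print("exact-match check  :", run_chain(strict_redirect_uri_check))
```

With the domain-level check the token issued for the legitimate client ends up in the fragment of the attacker’s URL; with the exact-match check the crafted redirect_uri is rejected before any token is issued, which is the fix the OAuth 2.0 specification’s security considerations recommend.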

(3) What is Covert Redirect? Covert Redirect is a class of security bugs
disclosed in May 2014. It occurs when an application takes a parameter
and redirects a user to the parameter value without sufficient
validation. This often makes use of Open Redirect and XSS (Cross-site
Scripting) vulnerabilities in third-party applications.

Covert Redirect is also related to single sign-on, such as OAuth and
OpenID. An attacker may use it to steal users’ sensitive information.
Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert
Redirect can also work together with CSRF (Cross-site Request Forgery).